Yes but this is discussing deliberately injecting malware into an open source project, which differs from exploiting a vulnerability that exists in one.